Developing and implementing a continuous monitoring plan (CM) is a crucial part of your cyber security program. A CM plan should help you identify if your organization’s security controls continue to be effective over time, as things change and evolve.
What Should Be Included in a Plan
Your CM plan should include the capability to dynamically provide near real-time security status-related information to key members of an organization. This could include software vulnerabilities, network and system-level configuration changes, policy changes, and any control-based inconsistencies.
As great as the concept is, a well-defined CM plan can be very hard to implement. There simply isn’t a standard template available for every organization to use. Without appropriate planning for security controls, preferably early in the system development life cycle, and without the correct implementation of those controls, an under-developed plan can leave you with a false sense of security and awareness.
Identifying Critical Assets
There are many challenges associated with the roll-out of a CM plan. A strategy should be developed that provides visibility into assets and awareness of vulnerabilities for all departments within the organization.
Identifying and organizing your critical assets is essential to the CM process. This may include interviewing leaders within the business organization to gain an understanding and awareness of the business goals and objectives, identifying areas where problems exist, and understanding results from any prior security assessments.
For example, it should be clear across all departments which assets are categorized as high, medium, and low criticality. Along with identifying critical and key assets, there should be a policy that defines how often each tier of assets should be scanned, how long scan data should be retained, and how often that data should be analyzed.
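To show what enforcing such a policy looks like in practice, here is an added example (not code from the original article or from Delta Risk) that checks a constructed asset inventory against a constructed per-tier policy for scan cadence and data retention; the tier values, asset names, dates and the `today` reference date are all assumptions.

```python
from datetime import date

# Constructed policy (an assumption, not from the article): how often each
# criticality tier must be scanned and how long scan data may be retained.
POLICY = {
    "high":   {"scan_every_days": 1,  "retain_days": 365},
    "medium": {"scan_every_days": 7,  "retain_days": 180},
    "low":    {"scan_every_days": 30, "retain_days": 90},
}

# Constructed reference date and asset inventory for the example run.
TODAY = date(2024, 5, 6)
ASSETS = [
    {"name": "erp-db-01", "criticality": "high",    "last_scan": date(2024, 5, 1),  "oldest_record": date(2023, 1, 15)},
    {"name": "web-fe-02", "criticality": "medium",  "last_scan": date(2024, 5, 3),  "oldest_record": date(2024, 1, 1)},
    {"name": "kiosk-07",  "criticality": "low",     "last_scan": date(2024, 4, 30), "oldest_record": date(2024, 3, 1)},
    {"name": "lab-vm-12", "criticality": "unknown", "last_scan": None,              "oldest_record": None},
]

def check_asset(asset, today=TODAY, policy=POLICY):
    """Return the policy findings for one asset; an empty list means it complies."""
    tier = policy.get(asset["criticality"])
    if tier is None:
        # An asset with no agreed criticality cannot be measured against any cadence,
        # which is itself a finding for the asset-identification step.
        return ["uncategorized"]
    findings = []
    last = asset["last_scan"]
    if last is None:
        findings.append("never_scanned")
    else:
        overdue = (today - last).days - tier["scan_every_days"]
        if overdue > 0:
            findings.append(f"scan_overdue_by_{overdue}d")
    oldest = asset["oldest_record"]
    if oldest is not None and (today - oldest).days > tier["retain_days"]:
        # Data kept beyond the retention window is a policy violation too.
        findings.append("retention_exceeded")
    return findings

def report(assets=ASSETS, today=TODAY, policy=POLICY):
    """Map each non-compliant asset to its findings, ready for a status dashboard."""
    return {a["name"]: f for a in assets if (f := check_asset(a, today, policy))}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, ", ".join(findings))
```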
Performing Risk Analysis
Another major challenge when implementing a continuous monitoring plan is performing risk analysis and reporting. Risk management is going to be different and unique for each organization; however, metrics and values need to be identified based on your business requirements. Based upon the risk tolerance levels, security teams should be able to easily identify, analyze, and report these metrics to business leaders so that they can be aware and make well-informed, risk-based decisions.
Some examples of metrics may include:
- Risk scoring values
- Compliance and governance
- Risk tolerance level
- Consequences (due to a compromise)
Without these types of metrics, it can be difficult to perform a clear and concise analysis for decision-makers.
Lastly, selecting the correct tools can often be difficult. The importance of each tool and its effectiveness is going to be different for each organization. Security teams need to know what to monitor, how to monitor, and where to monitor activity on the network.
Initially, it was tough to find tools that supported CM initiatives; however, over the past few years, vendors have developed tools that are in line with CM policies and strategies. One example is Security Content Automation Protocol (SCAP) reporting. This includes the ability to deploy agent-based or agentless tools to support system configuration management, the capability to perform authenticated and unauthenticated vulnerability scans, and the ability to scan for code or back-end issues in near real time.
Nowadays, it’s more of a matter of how much of your budget is set aside for CM. It can also depend on the skill level of your security staff. In many cases, certain functionalities can be developed “in-house” as add-on capabilities to the current IT applications and software.
Implementing a continuous monitoring plan can be a daunting task and, although no system is 100 percent safe from potential security threats, it’s key to take the necessary steps to stay aware of the ever-changing threat landscape. These steps start with understanding the business goals and objectives. Once these goals and objectives have been identified, more effort can be put into determining the right CM solutions to meet your business needs.
Most organizations or businesses don’t have the resources or the time to maintain expensive, noisy security information and event management (SIEM) solutions and staff a security operations center capable of investigation and incident response around the clock. SOC-as-a-Service is one solution that many organizations have turned to for continuous monitoring because it provides visibility across an entire network, endpoint devices, and cloud applications and infrastructure.
A cloud-based security orchestration and automation platform, like the one we’ve developed at Delta Risk, cuts down on the noise and prioritizes threats for our security analysts in our SOC to investigate. You can choose a fully managed, co-managed, or hybrid model, to get continuous monitoring at a fraction of the cost of building and staffing your own SOC.